> On 23 Jul 2017, at 20:56, Cinder Roxley <[email protected]> wrote:
> 
> On July 23, 2017 at 2:27:34 PM, Haravikk ([email protected]) wrote:
>> After digging around it's starting to look like the answer is a "no" to this 
>> capability at present (do feel free to correct me if that's wrong, pretty 
>> please!) so I'm thinking about what it would take to add it.
>> 
>> There are only really two key features needed to support it however:
>> 
>> Add an X-OpenSim-Grid header to llHTTPRequest()
>> 
>> The idea here is to add a new X-OpenSim-Grid header to all llHTTPRequest() 
>> calls, automatically containing the current grid's login URI, nickname and 
>> full name, in a format resembling the following:
>> 
>> X-OpenSim-Grid: http://mygrid.com/login; nick_name=my_grid; name="My Grid"
> 
> x-grid-info:// makes a better resource identifier for grids: 
> https://alchemy.atlassian.net/wiki/pages/viewpage.action?pageId=28737538 
> The nick and the name can be easily pulled from get_grid_info/

Hmm, that does look like a good URI scheme; are you suggesting then that an 
X-OpenSim-GridInfo header would be more appropriate, providing a URI in that 
form? That does seem like a good alternative!

>> Enable Querying of IP and Region Name
>> 
>> My thinking is that a new request would be supported on a grid's login URI 
>> (if possible); whereby, instead of logging in, the sender queries the grid 
>> about whether a given region name exists with a given IP address or not, 
>> with the server responding either true or false. There should be no viable 
>> risk of exploitation here as the call will only return true if the sender 
>> already knows both a valid IP address and region name; all it can therefore 
>> do is confirm that <region name> is currently provided by a server at <IP 
>> address>.
> 
> You can already POST to the grid service to get this information, although 
> the grid service isn’t always exposed publicly: 
> http://opensimulator.org/wiki/GridService 

That same page says that the GridService should only be LAN accessible, so it 
seems like some external service for validation would still be more appropriate?

>> Adding this to the login URI seems like the simplest option, but it may not 
>> be the cleanest (is it polluting the login URI to have it handle other 
>> things like this?), however, with the login URI being the primary point of 
>> contact for a grid it seems like the most logical way to do it to me. If 
>> anyone has any other ideas where the query should be performed (and how the 
>> necessary info can be passed to a web-service) please comment!
> 
> Please don’t pollute the endpoint. While it may be convenient, the login 
> service may not even have access to the grid service and it doesn’t belong 
> there. The services are tangled up enough as it is. I would think the 
> Gatekeeper service would be more appropriate, but don’t quote me on that.
> 
Actually on the issue of grid-info, perhaps something of that nature makes 
sense? If I've understood correctly, grid-info is retrieved simply by sending a 
GET /get_grid_info request to the grid's domain and port. Is GridInfo its own 
service? Perhaps something in a similar vein to that makes sense, except for 
validating IP and region?

>>>>>> Okay, so I just found that there's no way to retrieve a region's UUID in 
>>>>>> a script so you can ignore that part; though I had thought it would be a 
>>>>>> better way to identify a region (in case a region is renamed).
> 
> Also, bear in mind having one, two, five, or one hundred regions with the 
> same name on the same ip address is perfectly valid in OpenSim.

This shouldn't be an issue; I just need to know if I'm receiving a request from 
an IP hosting a region name that it claims to, basically the intent is a basic 
sanity check that a request has come from the grid and region it claims to. As 
long as the grid is happy to verify that the IP is hosting the region I got a 
request from, then that should be perfectly fine.

>>>>>> Though that does raise the separate question; would there be any harm in 
>>>>>> making a region's UUID available to scripts and/or sending it as a HTTP 
>>>>>> header? It just seems like it would be a good way to handle any region 
>>>>>> that is renamed, because as long as the GUID is kept the same then 
>>>>>> web-services (and grids) could recognise that it's the same region and 
>>>>>> treat it accordingly.
> 
> Changing a region’s UUID is as easy as changing its name, and just as easy to 
> spoof in most cases.

True. I'm also now leaning away from using the UUID as it seems like keeping it 
private between simulators and grids is the best thing to do, as it provides a 
way for grids to limit theft of region names; I don't know if any do this, but 
if a region is down a grid could put a hold on its name using its GUID, to 
prevent a malicious simulator from stealing that region name (since it'd have 
to know the region's UUID as well).

So using that information for any other purpose would reduce security, so 
that's a nope on that one!
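
An added example, not part of the original thread and not OpenSim code: how a receiving web service might parse the X-OpenSim-Grid header in the format proposed above and apply the sanity check discussed. The header is only a proposal in this thread; the allowlist of login URIs and the region_hosted_at callback (standing in for the grid-side "is this region at this IP" query) are assumptions.

```python
import re
from urllib.parse import urlsplit

# key=value or key="quoted value"; the proposal in the thread defines no escapes.
_PARAM = re.compile(r'\s*([A-Za-z_]+)\s*=\s*(?:"([^"]*)"|([^;"\s]+))\s*')

def parse_grid_header(value):
    """Parse 'URI; nick_name=...; name="..."'; raise ValueError if malformed."""
    parts, buf, quoted = [], [], False
    for ch in value:                      # split on ';' outside double quotes
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    if quoted:
        raise ValueError("unterminated quote")
    uri = parts[0].strip()
    split = urlsplit(uri)
    if split.scheme not in ("http", "https") or not split.hostname:
        raise ValueError("login URI must be http(s) with a host")
    info = {"login_uri": uri}
    for part in parts[1:]:
        m = _PARAM.fullmatch(part)
        if not m or m.group(1).lower() in info:
            raise ValueError("bad or duplicate parameter: %r" % part)
        info[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return info

def request_is_plausible(header, peer_ip, region, trusted_grids, region_hosted_at):
    """Accept only if the claimed grid is allowlisted AND that grid confirms
    that `region` is served from `peer_ip` (the socket address, never a header)."""
    try:
        info = parse_grid_header(header)
    except ValueError:
        return False
    if info["login_uri"] not in trusted_grids:
        return False                      # the header alone is sender-controlled
    return region_hosted_at(info["login_uri"], region, peer_ip) is True

# Constructed sample data: documentation-range IP, made-up region name.
SAMPLE = 'http://mygrid.com/login; nick_name=my_grid; name="My Grid"'
HOSTED = {("http://mygrid.com/login", "Welcome", "203.0.113.10")}

def sample_lookup(login_uri, region, ip):
    return (login_uri, region, ip) in HOSTED
```

The login URI is compared to the allowlist as an exact string here; a real service would need to decide how to normalise it.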